Data Privacy Requires a Security Response
GDPR affords EU residents more control over personal information
- By Mohammed Murad
- Oct 01, 2019
Recent hacks into databases of some of the world’s
biggest corporations and government organizations
put the personal information of billions of
people at risk. Data intended to remain private is
showing up for sale on the internet, privacy has
become a worldwide concern, and citizens are losing faith in the
way their data is collected, stored and protected.
The European Union took a big step last year to ease its citizens’
concerns with the enactment of the General Data Protection
Regulation (GDPR). EU residents now have much more control
over their personal information. The GDPR requires they know
what data is being collected, how it is being used and how they
can opt in, not out, of a company’s database.
What constitutes personal data? That’s broadly defined to include
just about anything that could be used to identify a person,
including name, home and email addresses, birthdate, driver license
number, gender, race, political affiliations and much more.
Although the GDPR specifically applies to nations within the
EU, it has worldwide implications. Any organization, no matter
where it’s based, that collects data gathered from an EU citizen
must comply with the regulation. Failure to do so can result in
penalties of up to €20 million or 4 percent of a company’s annual
The European privacy movement has sparked a worldwide
response. In the U.S., more than 10 states have enacted tougher
regulations to protect their citizens’ personal data. Perhaps the most
GDPR-like will take effect on January 1 in California. Online
sites will be required to conspicuously post a “Do Not Sell My
Personal Information” link. Parental consent will be required before
selling data about a child under the age of 13.
The security industry was not a prime target of the GDPR, but
it will feel an impact in the way organizations collect and use video
surveillance and access control data. In the EU, video is considered
to be personal data belonging to those captured in live or recorded
images. By its nature, access control requires personal information
from employees and vendors in return for a pass to enter facilities.
Organizations must have clearly defined goals for their security
functions. That means being ready to explain camera placements,
what images they expect to capture, and how the video will be
used, stored and shared. How video will be shared may be the
most critical component.
Strict cybersecurity controls are required to ensure security-related
data can be viewed only by authorized personnel, who may
include corporate staff, law enforcement or even a hosted or managed
service provider or central monitoring station.
It is obvious that passwords protecting data can be hacked. They
can also be shared.
Adding a card reader or keypad to a workstation provides a
second layer of security. Yet there’s no guarantee the person using
the card or entering a Personal Identification Number (PIN) has
been authorized to do so.
This is where biometrics can play an important role in securing
databases. Passwords, cards and PINs can be hacked, shared
or stolen; a biometric identifier cannot. Biometrics offer a way
for our industry to meet security goals for the protection of data
while also restoring public confidence.
Biometrics involve the measurement of physical characteristics,
something only the owner can possess. The most commonly used
biometrics include iris patterns, fingerprints and facial recognition.
Combining biometric and access readers or a keypad at the PC creates
true two-factor authentication. Passwords can be eliminated
while the database remains accessible only to authorized users.
The use of biometric technologies is now commonplace
worldwide. You see them embedded in smartphones, at border
crossings and in use for time and attendance, national ID cards,
voter registration and more. Biometric readers can also authenticate
consumers registering for websites or making purchases on
Among the major biometric technologies, iris recognition is
widely considered the most accurate. No two people, even identical
twins, have the same iris patterns. The technology works with
people wearing glasses, contact lenses and safety goggles. It’s not
affected by grease, dirt or scars as are fingerprint readers. Iris
technology works with very large databases where facial recognition
has been shown to be less effective.
GDPR and its goals have arrived with the simple concept
that citizens have a right to know what information is being collected
about them and how it is used, and to be provided with an easy way to
delete their data at any time.
The security industry should see GDPR and efforts at the state
level in the U.S. as driving positive changes and eliminating inefficient
data protection efforts. At the same time, we need to employ
tools readily available to restore citizens’ sense of privacy, whether
they are completing an online transaction or
engaging with a security system. A failure to
act now may result in a more severe backlash
that could negatively impact how we protect
people and their personal data.
This article originally appeared in the October 2019 issue of Security Today.